WIRELESS NETWORK SECURITY:
Internal Controls Can Be Improved

Report Summary:
Because of the security sensitive information contained in this report, we are only providing a summary of the report.

Report No. OIG-A-2012-003 | December 7, 2011

NATIONAL RAILROAD PASSENGER CORPORATION
Office of Inspector General

Date: December 7, 2011

Subject: Wireless Network Security: Internal Controls Can Be Improved (Report No. OIG-A-2012-003)

The Office of Inspector General (OIG) conducted an audit of Amtrak’s wireless network security program. Our objectives were to (1) assess the adequacy of Amtrak’s internal controls for wireless network security, and (2) assess the adequacy of Amtrak’s wireless network security policies.

BACKGROUND

Amtrak has installed wireless networks to allow its employees and contractors to connect their laptops to Amtrak networks where wired networks are difficult and costly to implement. Wireless connections provide an economical and flexible solution to accessing corporate systems and information.

Wireless connections are inherently risky because information is broadcast over radio waves and can be accessed easily. Therefore, wireless networks are vulnerable to attacks from unauthorized persons. Having effective internal controls over wireless networks is critical to preventing the success of such attacks. Our audit focused on Amtrak’s wireless security policy and practices as well as broader computer security and usage policy.

SUMMARY OF RESULTS

While Amtrak’s Office of Information Security has generally taken adequate measures to ensure that the company’s wireless networks are secure and protect company information, some internal control weaknesses related to the wireless security program exist, along with some gaps in wireless security policies. These conditions occurred mainly due to weaknesses in oversight, policy enforcement, and the original security system design, as well as the lack of routine policy updates. The security control weaknesses related to encryption, passwords, and naming convention leave Amtrak information at risk of unauthorized access, modification, or destruction. As our audit progressed, we discussed these findings with Amtrak management officials, who agreed and have begun taking corrective action. While we did not find any evidence of security breaches of the wireless network, the weaknesses we noted represent security vulnerabilities and increase the risk of an undetected penetration of the network.

MANAGEMENT COMMENTS AND OIG RESPONSE

In commenting on a draft of this report, Amtrak’s acting Chief Information Officer agreed with all of our findings and recommendations. The planned actions identified by Amtrak are responsive to our recommendations.

OIG TEAM MEMBERS

David R. Warren, Assistant Inspector General, Audits
Vipul Doshi, Senior Director, Audits
Vijay Chheda, Audit Manager
Ben Davani, Senior Auditor, IT
Ashish Tendulkar, Senior Auditor, IT
Michael Baker, Senior Auditor, IT
Michael P. Fruitman, Principal Communications Officer

OIG MISSION AND CONTACT INFORMATION

Amtrak OIG’s Mission

The Amtrak OIG’s mission is to

• conduct and supervise independent and objective audits, inspections, evaluations, and investigations relating to agency programs and operations;
• promote economy, effectiveness, and efficiency within Amtrak;
• prevent and detect fraud, waste, and abuse in Amtrak’s programs and operations;
• review security and safety policies and programs; and
• review and make recommendations regarding existing and proposed legislation and regulations relating to Amtrak’s programs and operations.

Obtaining Copies of OIG Reports and Testimony

Available at our website: www.amtrakoig.gov.

To Report Fraud, Waste, or Abuse

Report suspicious or illegal activities to the OIG Hotline (you can remain anonymous):

Web: www.amtrakoig.gov/hotline
Phone: 800-468-5469

Congressional and Public Affairs

E. Bret Coulson, Senior Director
Congressional and Public Affairs
Mail: Amtrak OIG, 10 G Street, N.E., 3W-300, Washington, D.C. 20002
Phone: 202-906-4134
Email: bret.coulson@amtrakoig.gov